Despite the fact that many security experts have been encouraging — even imploring — organizations to think differently about their end users and focus on building a culture of security from the top down, infosec professionals still yearn for a technical solution to employee-driven cybersecurity woes, phishing in particular. This is, frankly, totally understandable. As humans, we all long for “magic bullet” solutions to pressing and wide-ranging problems, and often hope that the path of least resistance will take us to our desired destination.
Certainly, end-user security awareness training is not a path of least resistance. But it is a path worth walking, on a number of levels. Here’s just one reason why:
You say: “Forget security awareness training. It doesn’t work, and I’d rather put my time and money into technology-based defense-in-depth strategies.”
Your end users hear: “I can do whatever I want because IT will fix it.”
No, a security awareness and training program will not eliminate risk (and thinking anything will is a pursuit we’ve cautioned against in the past). And, yes, there are users who won’t “get it,” no matter how often you explain it. But there are also plenty of people who will understand, and even many who will relish the idea of learning how to be more cyber-savvy.
Shoring up this last line of human defense — even marginally — can have measurable benefits:
- A reduction in the number of successful phishing attacks within your organization
- Increased reporting of suspicious email messages
- Fewer helpdesk calls
- Less time spent remediating infected machines
Find out why BT and KPMG think cybersecurity education is critical to risk management.
Improvements in these areas put time back into your day and dollars back into your budget. But the only way to get there is to teach users that their actions matter and that technology isn’t a blanket protection for their data or yours.
Plus, there’s another benefit to delivering an effective, ongoing security awareness training program: It allows you to improve security in areas beyond the phish as well. In addition to cleaning up corporate email use, you can start to change the behaviors of users who:
- check personal email on corporate-issued PCs
- log into social media accounts on corporate-issued PCs
- stream and download media on corporate-issued PCs
- shop online on corporate-issued PCs
- log into corporate systems on personal smartphones and tablets
- access open WiFi networks on devices that are linked to corporate systems
Don’t be blind to the potential reach of end-user risk. Our User Risk Report revealed that the types of actions noted above are happening regularly — and that many workers even allow their friends and family to use their work devices for personal pursuits.
Think we’re bluffing about the upside to security awareness and training? Consider this: Virtually every cybersecurity misstep by an end user can be whittled down to a binary decision point: Do I or don’t I? The questions for you is: Am I teaching my users how to play the game or am I expecting them to get by on luck alone?
We feel it’s time to deal your users in and give them a seat at the security table. When it comes to infosec, technology is king … but your employees can be your ace in the hole.